[Proposal] Frictionless higher security log-in

[monsterer]

Hi guys,

I want you to shoot this idea down / point out the horrible flaws:

Frictionless default log-in for bitcoin sites which need high levels of security to protect user assets.

We already have Google Authenticator and Yubi-key which you can add to sites like MtGox to increase the security of a log-in, but by default we are still left with a plain old single password system which can be exploited by malware key-loggers.

What I propose is that after the standard password log-in, a secure site should email the user with a link or log-in code which expires in N minutes time and that gives the user more secure access to the site.

It's frictionless because nearly all sites already hold the user's email address (acquired during sign up), so no special hardware or SMS to mobile phone is required. It's more secure than a straight password system because a key-logger attacker would have needed to extract passwords to both the site in question AND your email account in order to compromise it.

I further propose that the user should then be able opt out of this method and into the more secure Google Authenticator if they so chose. So this is not a replacement by any means, but it should be a decent upgrade to default single passwords.

What do you think?

Cheers, Paul.

[stormos]

You can be sure that an attacker who installed the keylogger will get access to victim's email. It is better to transfer a session code through alternate channel, such as SMS

[BitPirate]

E-mail is usually the easiest vector to compromise a user's login ID in the first place.

Many attacks go like this:
- Get access to e-mail
- request password reset (is done via e-mail usually)
- Log in

Two-factor authentication is on the verge of becoming mainstream; passwords are increasingly futile.

In 2 years, users who don't use 2FA will be in the minority -- it is really quite scary to consider how insecure passwords alone are. Not just because of keyloggers, but because most are ridiculously easy to brute-force. Let's face it: Passwords are better at locking out legitimate users these days than attackers. Most user's passwords are one or two common names or words from a dictionary, some numbers, probably between 1 - 1000 and likely consecutive or repeated numbers, and maybe one symbol. An average computer can run through all possible combinations of those in less than the time it takes to make a cup of tea.

2FA needs to be a combination of "something you know" and "something you have" -- any other way just doesn't provide much additional security.

On the site's side, they can provide some additional security for the users who don't want to use 2FA: identifying and blocking or slowing down brute force attacks, using heuristics based on IP geolocation, etc... and, of course, properly salting and hashing passwords for storage. But the onus is still on the user... as the weakest link just becomes another site they are using with the same password.